diff --git a/config/include/csp-header.conf b/config/include/csp-header.conf
new file mode 100644
index 0000000..bf9121c
--- /dev/null
+++ b/config/include/csp-header.conf
@@ -0,0 +1 @@
+ add_header Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS $CSP_DEFAULT_SRC $CSP_BASE_URI $CSP_CONNECT_SRC $CSP_WORKER_SRC $CSP_FONT_SRC $CSP_SCRIPT_SRC $CSP_STYLE_SRC $CSP_OBJECT_SRC $CSP_FRAME_ANCESTORS";
diff --git a/config/nginx.auth.conf b/config/nginx.auth.conf
index ec9b102..aba8315 100644
--- a/config/nginx.auth.conf
+++ b/config/nginx.auth.conf
@@ -40,6 +40,8 @@ server {
 location /login {
 proxy_pass $login_proxy;
+
+ include /etc/nginx/include/csp-header.conf;
 }
 location ~ ^/(logout|get-user)$ {
@@ -56,8 +58,7 @@ server {
 proxy_cache_bypass $http_upgrade;
 include /etc/nginx/include/auth.conf;
-
- add_header Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS $CSP_DEFAULT_SRC $CSP_BASE_URI $CSP_CONNECT_SRC $CSP_WORKER_SRC $CSP_FONT_SRC $CSP_SCRIPT_SRC $CSP_STYLE_SRC $CSP_OBJECT_SRC $CSP_FRAME_ANCESTORS";
+ include /etc/nginx/include/csp-header.conf;
 }
 location = /health {
diff --git a/config/nginx.off.conf b/config/nginx.off.conf
index ab6edc0..136b3cc 100644
--- a/config/nginx.off.conf
+++ b/config/nginx.off.conf
@@ -19,7 +19,7 @@ server {
 proxy_set_header Host $host;
 proxy_cache_bypass $http_upgrade;
- add_header Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS $CSP_DEFAULT_SRC $CSP_BASE_URI $CSP_CONNECT_SRC $CSP_WORKER_SRC $CSP_FONT_SRC $CSP_SCRIPT_SRC $CSP_STYLE_SRC $CSP_OBJECT_SRC $CSP_FRAME_ANCESTORS";
+ include /etc/nginx/include/csp-header.conf;
 }
 location = /health {
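Review bot: The `add_header` in the new csp-header.conf has no `always` parameter, so nginx attaches the policy only to its fixed set of success and redirect status codes. A 401, 403 or 5xx page served from `/login` or the proxied application therefore goes out without a Content-Security-Policy. Since this file is now the single definition of the header, ending the directive with `$CSP_FRAME_ANCESTORS" always;` would cover every location that includes it. The `$CSP_*` names look like placeholders that are substituted before nginx starts. That step is not visible in this diff, so it is worth confirming that it also processes files under `config/include/`, otherwise nginx would be handed the unexpanded names.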
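Review bot: Including csp-header.conf inside `location /login` places an `add_header` at location level, and nginx inherits `add_header` directives from the enclosing `server` or `http` level only when the current level defines none. If the server block, which starts outside this hunk, sets other response headers such as `Strict-Transport-Security` or `X-Content-Type-Options`, `/login` would stop sending them after this change. Comparing the response headers on `/login` before and after the change would settle it, and any header that is lost can be repeated next to the include or moved into a shared include file. A comment above the include would help the next editor, for example `# add_header in this include disables inheritance of server-level add_header directives`.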